QUESTION 121
Which of the following is the BEST approach when a risk practitioner has been asked by a business unit manager to exclude an in-scope system from a risk assessment?
A. Postpone the risk assessment.
B. Reject the manager’s request.
C. Facilitate the exception process.
D. Accept the manager’s request.
Correct Answer: C
QUESTION 122
Which of the following is the MOST important criteria for developing risk scenarios?
A. The risk is within appetite.
B. The risk is relevant.
C. The risk is quantifiable.
D. The risk is treatable.
Correct Answer: B
QUESTION 123
An organization’s infrastructure team has implemented USB encryption software to address the risk of data loss through portable media. Which of the following is the risk practitioner’s BEST recommendation?
A. Review encryption procedures.
B. Accept residual risk.
C. Assess related business impact.
D. Verify control effectiveness.
Correct Answer: D
QUESTION 124
Which of the following is accountable for ensuring the three lines of defense model is operating effectively?
A. Internal audit
B. Risk management team
C. Board of directors
D. Operational management
Correct Answer: C
QUESTION 125
Which of the following is the PRIMARY reason to ensure software engineers test patches before release to the production environment?
A. To detect incompatibilities that might disrupt the operation
B. To understand how long it will take to deploy the patch
C. To provide assurance that deployed patches have been properly authorized
D. To support availability by authorizing the release of the patch at the appropriate time
Correct Answer: A
QUESTION 126
Which of the following is MOST important to consider when identifying risk scenarios related to a third-party service provider?
A. Security incidents
B. Contractual terms
C. Data flow diagrams
D. Security questionnaires
Correct Answer: C
QUESTION 127
Which of the following would BEST mitigate the risk of unauthorized requests delivered by deepfakes to a high-risk operational area of an organization?
A. Out-of-band authorization verification
B. Up-to-date certificate revocation lists
C. A SIEM system
D. Key performance indicators (KPIs) for mission-critical systems
Correct Answer: A
QUESTION 128
Which of the following is the BEST indication that an organization is following a mature risk management process?
A. Attributes of each risk scenario have been documented within the risk register.
B. An organization-wide risk awareness program is in place.
C. The organization uses qualitative risk assessments.
D. The risk register is frequently utilized for decision-making.
Correct Answer: D
QUESTION 129
An IT team has realized that production data has been inadvertently overwritten. Which of the following would have BEST prevented this error?
A. Backup and recovery controls
B. Change management controls
C. Access monitoring controls
D. Log monitoring controls
Correct Answer: B
QUESTION 130
A business is conducting a proof of concept on a vendor’s Al technology. Which of the following is the MOST important consideration for managing risk?
A. Use of a non-production environment
B. Adequate vendor support
C. Regular security updates
D. Third-party management plan
Correct Answer: A
QUESTION 131
Which of the following is the FIRST step when developing risk scenarios using a top-down approach?
A. Identify internal factors affecting the business.
B. Identify generic risk scenarios impacting the business.
C. Identify risk scenarios used in tabletop exercises.
D. Identify detailed risk scenarios affecting the business.
Correct Answer: A
QUESTION 132
Which of the following is the MOST important input into the risk identification process?
A. Risk taxonomy
B. Risk management budget
C. Enterprise roadmap
D. Business impact analysis (BIA)
Correct Answer: D
QUESTION 133
Which of the following is the BEST approach for obtaining management buy-in to implement additional IT controls?
A. Describe IT risk impact on organizational processes in monetary terms.
B. Present new key risk indicators (KRIs)based on industry benchmarks.
C. Provide information on new governance, risk, and compliance (GRC) platform functionalities.
D. List requirements based on a commonly accepted IT risk management framework.
Correct Answer: A
QUESTION 134
Which of the following is the BEST control to prevent unauthorized access to an organization’s critical assets?
A. Multi-factor authentication (MFA)
B. Data loss prevention (DLP)
C. Intrusion prevention system (IPS)
D. Intrusion detection system (IDS)
Correct Answer: A
QUESTION 135
Which of the following should be used to determine recovery time objectives (RTOs) and recovery point objectives (RPOs)?
A. Risk assessment results
B. Audit findings
C. Enterprise architecture (EA) maturity
D. Maximum tolerable downtime (MTD)
Correct Answer: D
QUESTION 136
Within the three lines of defense model, the responsibility for managing risk and controls resides with:
A. operational management.
B. the risk practitioner.
C. executive management.
D. the internal auditor.
Correct Answer: A
QUESTION 137
Which of the following is the BEST example of a key control indicator (KCI) for inappropriate access rights?
A. Percentage of applications for which annual risk assessments have been completed
B. Percentage of applications with risk scenarios that exceed thresholds
C. Percentage of applications with validated quarterly user access reviews
D. Percentage of applications with shared system access for administrators
Correct Answer: C
QUESTION 138
The frequency of monitoring for a key risk indicator (KRI) should be established PRIMARILY based on the:
A. timing of monitoring reports for senior management and the board.
B. alignment between the indicators and monitored processes.
C. threshold that management has set for tolerance of indicator false positives.
D. minimum time needed to remediate a risk identified by the indicators.
Correct Answer: B
QUESTION 139
Which of the following cloud service models is MOST appropriate for client organizations that want to maximize their control over management of the data life cycle?
A. Infrastructure as a Service (IaaS)
B. Software as a Service (SaaS)
C. Platform as a Service (PaaS)
D. Data as a Service (DaaS)
Correct Answer: A
QUESTION 140
For which of the following enterprise architecture (EA) domains should client organizations retain responsibility in a cloud service environment?
A. Middleware
B. Infrastructure
C. Application
D. Data
Correct Answer: D
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.